Understanding Vulnerabilities in WordPress Plugins
Every week, we highlight known vulnerabilities in WordPress plugins. This information helps you stay informed about potential risks and take appropriate action to protect your website. By addressing these vulnerabilities, you ensure the safety and integrity of your WordPress site and its data.
Plugin: Posti Shipping
Vulnerability: Full Path Disclosure
Patched Version: 3.10.3
Recommended Action: Update to version 3.10.3, or a newer patched version
Plugin: LegalWeb Cloud
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.1.3
Recommended Action: Update to version 1.1.3, or a newer patched version
Plugin: StreamWeasels YouTube Integration
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.7
Recommended Action: Update to version 1.3.7, or a newer patched version
Plugin: Pie Register Premium
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.8.3.3
Recommended Action: Update to version 3.8.3.3, or a newer patched version
Plugin: JobSearch WP Job Board
Vulnerability: Authentication Bypass to Account Takeover and Privilege Escalation
Patched Version: 2.6.8
Recommended Action: Update to version 2.6.8, or a newer patched version
Plugin: FloristPress – Customize your Woo store for your Florist
Vulnerability: Missing Authorization to Sensitive Data Exposure
Patched Version: 7.4.0
Recommended Action: Update to version 7.4.0, or a newer patched version
Plugin: TI WooCommerce Wishlist
Vulnerability: Missing Authorization to Unauthenticated Plugin Setup Wizard Access
Patched Version: 2.9.2
Recommended Action: Update to version 2.9.2, or a newer patched version
Plugin: Plug your WooCommerce into the largest catalog of customized print products from Helloprint
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 2.0.5
Recommended Action: Update to version 2.0.5, or a newer patched version
Plugin: Softtemplates For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Vulnerability: Unauthenticated Arbitrary Password Reset to Privilege Escalation/Account Takeover
Patched Version: 24.0.8
Recommended Action: Update to version 24.0.8, or a newer patched version
Plugin: ARforms
Vulnerability: Directory Traversal to Authenticated (Subscriber+) Arbitrary File Read
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP GeoNames
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.9
Recommended Action: Update to version 1.9, or a newer patched version
Plugin: Yaad Sarig Payment Gateway For WC
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Log Read/Deletion
Patched Version: 2.2.5
Recommended Action: Update to version 2.2.5, or a newer patched version
Plugin: Namaste! LMS
Vulnerability: Cross-Site Request Forgery
Patched Version: 2.6.5
Recommended Action: Update to version 2.6.5, or a newer patched version
Plugin: FloristPress – Customize your Woo store for your Florist
Vulnerability: Missing Authorization to Arbitrary Content Deletion
Patched Version: 7.4.0
Recommended Action: Update to version 7.4.0, or a newer patched version
Plugin: EmbedPress – Embed PDF, PDF 3D FlipBook, Instagram Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Maps & Upload PDF Documents
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ‘provider_name’
Patched Version: 4.1.4
Recommended Action: Update to version 4.1.4, or a newer patched version
Plugin: All Bootstrap Blocks
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 1.3.20
Recommended Action: Update to version 1.3.20, or a newer patched version
Plugin: Intro Tour Tutorial DeepPresentation
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 6.5.3
Recommended Action: Update to version 6.5.3, or a newer patched version
Plugin: Photo Video Store
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Paloma Widget
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AWeber Forms by Optin Cat
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version
Plugin: Image Alt Text
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Image Alt Text Update
Patched Version: 3.0.0
Recommended Action: Update to version 3.0.0, or a newer patched version
Plugin: Block Controller
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: File Manager Pro – Filester
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 1.8.5
Recommended Action: Update to version 1.8.5, or a newer patched version
Plugin: Tutor LMS Elementor Addons
Vulnerability: Missing Authorization
Patched Version: 2.1.6
Recommended Action: Update to version 2.1.6, or a newer patched version
Plugin: WP MathJax
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: LA-Studio Element Kit for Elementor
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.4.5
Recommended Action: Update to version 1.4.5, or a newer patched version
Plugin: Chatter
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: DSGVO All in one for WP
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.6
Recommended Action: Update to version 4.6, or a newer patched version
Plugin: Enter Addons – Ultimate Template Builder for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.0
Recommended Action: Update to version 2.2.0, or a newer patched version
Plugin: Random Banner
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress
Vulnerability: Insecure Direct Object Reference
Patched Version: 20.8.1
Recommended Action: Update to version 20.8.1, or a newer patched version
Plugin: IdeaPush
Vulnerability: Missing Authorization to Board Term Deletion
Patched Version: 8.72
Recommended Action: Update to version 8.72, or a newer patched version
Plugin: Sparkle Elementor Kit
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Internal Linking for SEO traffic & Ranking – Auto internal links (100% automatic)
Vulnerability: Authenticated (Administrator+) SQL Injection via post_id Parameter
Patched Version: 1.2.2
Recommended Action: Update to version 1.2.2, or a newer patched version
Plugin: PDF Generator Addon for Elementor Page Builder
Vulnerability: Unauthenticated Arbitrary File Download
Patched Version: 2.0.1
Recommended Action: Update to version 2.0.1, or a newer patched version
Plugin: Counter Up – Animated Number Counter & Milestone Showcase
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Knowledge Base documentation & wiki plugin – BasePress Docs
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Database Update
Patched Version: 2.16.3.4
Recommended Action: Update to version 2.16.3.4, or a newer patched version
Plugin: Hustle – Email Marketing, Lead Generation, Optins, Popups
Vulnerability: Missing Authorization to Unauthorized Form Submission
Patched Version: 7.8.6
Recommended Action: Update to version 7.8.6, or a newer patched version
Plugin: DancePress (TRWA)
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pixobe Cartography
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Social Sharing Plugin – Sassy Social Share
Vulnerability: Reflected Cross-Site Scripting via heateor_mastodon_share Parameter
Patched Version: 3.3.70
Recommended Action: Update to version 3.3.70, or a newer patched version
Plugin: Essential Breadcrumbs
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AIO Contact
Vulnerability: Missing Authorization
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)
Vulnerability: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Lightbox Widget
Patched Version: 5.10.6
Recommended Action: Update to version 5.10.6, or a newer patched version
Plugin: Futurio Extra
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via header_size tag
Patched Version: 2.0.15
Recommended Action: Update to version 2.0.15, or a newer patched version
Plugin: WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.9
Recommended Action: Update to version 1.8.9, or a newer patched version
Plugin: Stripe Donation
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Mermaid
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Capitalize My Title WordPress Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pie Register – Social Sites Login (Add on)
Vulnerability: Authentication Bypass
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: Bold Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 5.2.2
Recommended Action: Update to version 5.2.2, or a newer patched version
Plugin: Lenxel Core
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BMLT Tabbed Map
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Ajar in5 Embed
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: 3.1.4
Recommended Action: Update to version 3.1.4, or a newer patched version
Plugin: Royal Elementor Addons and Templates
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.7.1004
Recommended Action: Update to version 1.7.1004, or a newer patched version
Plugin: Ragic Shortcode
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3
Recommended Action: Update to version 1.3, or a newer patched version
Plugin: Newsletter, Email Marketing, Email Subscriber – Mail Picker
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Lenxel Core
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: SpatialMatch IDX
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elementor Button Plus
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced Element Bucket Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Revy
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Elementor Image Gallery Plugin ( Masonry Gallery, Elementor Gallery Plugin With Captions, Elementor Portfolio Gallery Widget, Filterable Gallery )
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Forms for Mailchimp by Optin Cat – Grow Your MailChimp List
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting via Form Color Parameters
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version
Plugin: Best Addons for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Asset CleanUp: Page Speed Booster
Vulnerability: Authenticated (Admin+) Server-Side Request Forgery
Patched Version: 1.3.9.9
Recommended Action: Update to version 1.3.9.9, or a newer patched version
Plugin: My auctions allegro
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.6.18
Recommended Action: Update to version 3.6.18, or a newer patched version
Plugin: Maspik – Advanced Spam Protection
Vulnerability: Cross-Site Request Forgery to Plugin Settings Change
Patched Version: 2.2.8
Recommended Action: Update to version 2.2.8, or a newer patched version
Plugin: WP Travel – Ultimate Travel Booking System, Tour Management Engine
Vulnerability: Missing Authorization
Patched Version: 9.7.0
Recommended Action: Update to version 9.7.0, or a newer patched version
Plugin: Mins To Read
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Header and Footer
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.7.0
Recommended Action: Update to version 2.7.0, or a newer patched version
Plugin: WPCasa
Vulnerability: Insecure Direct Object Reference
Patched Version: 1.3.0
Recommended Action: Update to version 1.3.0, or a newer patched version
Plugin: Yahoo! WebPlayer
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: NEX-Forms – Ultimate Form Builder – Contact forms and much more
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 8.7.9
Recommended Action: Update to version 8.7.9, or a newer patched version
Plugin: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
Vulnerability: Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Patched Version: 4.15.19
Recommended Action: Update to version 4.15.19, or a newer patched version
Plugin: Smart Marketing SMS and Newsletters Forms
Vulnerability: Missing Authorization
Patched Version: 5.0.5
Recommended Action: Update to version 5.0.5, or a newer patched version
Plugin: Primary Addon for Elementor
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.6.3
Recommended Action: Update to version 1.6.3, or a newer patched version
Plugin: Revy
Vulnerability: Unauthenticated Arbitrary File Upload
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Ni WooCommerce Cost Of Goods
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Mailster
Vulnerability: Missing Authorization
Patched Version: 1.8.17.0
Recommended Action: Update to version 1.8.17.0, or a newer patched version
Plugin: Connexion Logs
Vulnerability: Authenticated (Admin+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WordPress Auction Plugin
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Form Data Collector
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.2.4
Recommended Action: Update to version 2.2.4, or a newer patched version
Plugin: ArCa Payment Gateway
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: jAlbum Bridge
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via ar Parameter
Patched Version: 2.0.16
Recommended Action: Update to version 2.0.16, or a newer patched version
Plugin: Pricing Tables For WPBakery Page Builder (formerly Visual Composer)
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via wdo_pricing_tables Shortcode
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CultBooking Hotel Booking Engine
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Beaver Builder – WordPress Page Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.8.4.4
Recommended Action: Update to version 2.8.4.4, or a newer patched version
Plugin: Charity Addon for Elementor
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Quick License Manager – WooCommerce Plugin
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4.18
Recommended Action: Update to version 2.4.18, or a newer patched version
Plugin: File Manager Pro – Filester
Vulnerability: Authenticated (Administrator+) Local JavaScript File Inclusion
Patched Version: 1.8.6
Recommended Action: Update to version 1.8.6, or a newer patched version
Plugin: Donate Me
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: CMSMasters Elementor Addon
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Patched Version: 1.15.0
Recommended Action: Update to version 1.15.0, or a newer patched version
Plugin: HLS Player
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.0.11
Recommended Action: Update to version 1.0.11, or a newer patched version
Plugin: SimpleSchema Free
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WooCommerce Ultimate Gift Card – Create, Sell and Manage Gift Cards with Customized Email Templates
Vulnerability: Affects versions < 2.9.1 (vulnerability type not given on this page)
Patched Version: 2.9.1
Recommended Action: Update to version 2.9.1, or a newer patched version
Plugin: Forms for Mailchimp by Optin Cat – Grow Your MailChimp List
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version
Plugin: WordPress Page Builder – Zion Builder
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Vertical Carousel
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Widget Options – The #1 WordPress Widget & Block Control Plugin
Vulnerability: Authenticated (Contributor+) Remote Code Execution
Patched Version: 4.0.8
Recommended Action: Update to version 4.0.8, or a newer patched version
Plugin: Znajdź Pracę z Praca.pl
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Classified Listing – Classified ads & Business Directory Plugin
Vulnerability: Authenticated (Contributor+) Local File Inclusion
Patched Version: 3.1.17
Recommended Action: Update to version 3.1.17, or a newer patched version
Plugin: WP Mailster
Vulnerability: Missing Authorization
Patched Version: 1.8.17.0
Recommended Action: Update to version 1.8.17.0, or a newer patched version
Plugin: WP Mailster
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.8.18.0
Recommended Action: Update to version 1.8.18.0, or a newer patched version
Plugin: Church Admin
Vulnerability: Missing Authorization
Patched Version: 5.0.9
Recommended Action: Update to version 5.0.9, or a newer patched version
Plugin: Flower Delivery by Florist One
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 3.9.1
Recommended Action: Update to version 3.9.1, or a newer patched version
Plugin: Campaign Monitor Forms by Optin Cat
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.5.8
Recommended Action: Update to version 2.5.8, or a newer patched version
Plugin: Classic Addons – WPBakery Page Builder
Vulnerability: Authenticated (Contributor+) Limited Local PHP File Inclusion
Patched Version: 3.1
Recommended Action: Update to version 3.1, or a newer patched version
Plugin: Plugin
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Themesflat Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 2.2.3
Recommended Action: Update to version 2.2.3, or a newer patched version
Plugin: SEO Landing Page Generator
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.66.3
Recommended Action: Update to version 1.66.3, or a newer patched version
Plugin: Build App Online
Vulnerability: Cross-Site Request Forgery
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced What should we write next about
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FileBird – WordPress Media Library Folders & File Manager
Vulnerability: Missing Authorization
Patched Version: 6.3.4
Recommended Action: Update to version 6.3.4, or a newer patched version
Plugin: WP Mailster
Vulnerability: Authenticated (Contributor+) SQL Injection via orderby
Patched Version: 1.8.17.0
Recommended Action: Update to version 1.8.17.0, or a newer patched version
Plugin: WordPress Auction Plugin
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Genoo
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.0.13
Recommended Action: Update to version 6.0.13, or a newer patched version
Plugin: Cowidgets – Elementor Addons
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Auto Featured Image from Title
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 2.4
Recommended Action: Update to version 2.4, or a newer patched version
Plugin: Restaurant & Cafe Addon for Elementor
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 1.6.0
Recommended Action: Update to version 1.6.0, or a newer patched version
Plugin: Z-Downloads
Vulnerability: Authenticated (Administrator+) Stored Cross-Site Scripting
Patched Version: 1.11.8
Recommended Action: Update to version 1.11.8, or a newer patched version
Plugin: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 4.1.16
Recommended Action: Update to version 4.1.16, or a newer patched version
Plugin: Kudos Donations – Easy donations and payments with Mollie
Vulnerability: Reflected Cross-Site Scripting via ‘add_query_arg’
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: FAT Services Booking
Vulnerability: Authenticated (Subscriber+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Awesome Shortcodes
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)
Vulnerability: Missing Authorization
Patched Version: 5.5.0
Recommended Action: Update to version 5.5.0, or a newer patched version
Plugin: 소셜 공유 버튼 By 코스모스팜
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Out Of Stock Badge
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: FAT Services Booking
Vulnerability: Unauthenticated SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Content Audit Exporter
Vulnerability: Unauthenticated Sensitive Information Exposure
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Accessibility by AllAccessible
Vulnerability: Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Update
Patched Version: 1.3.5
Recommended Action: Update to version 1.3.5, or a newer patched version
Plugin: Team Member – Multi Language Supported Team Plugin
Vulnerability: Authenticated (Editor+) Local File Inclusion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Tumult Hype Animations
Vulnerability: Authenticated (Author+) Arbitrary File Upload via hypeanimations_panel Function
Patched Version: 1.9.16
Recommended Action: Update to version 1.9.16, or a newer patched version
Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
Vulnerability: Authenticated (Project Manager+) SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Devnex Addons For Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Post Carousel Slider for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Spectra – WordPress Gutenberg Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Team Widget
Patched Version: 2.16.3
Recommended Action: Update to version 2.16.3, or a newer patched version
Plugin: FAQ Builder AYS
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.7.2
Recommended Action: Update to version 1.7.2, or a newer patched version
Plugin: Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
Vulnerability: Unauthenticated Path Traversal to Arbitrary Image View
Patched Version: 3.0.7
Recommended Action: Update to version 3.0.7, or a newer patched version
Plugin: FastBook – Responsive Appointment Booking and Scheduling System
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: PayPal Responder
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder
Vulnerability: Authenticated (Administrator+) Arbitrary File Upload
Patched Version: 1.1.0
Recommended Action: Update to version 1.1.0, or a newer patched version
Plugin: Multilevel Referral Affiliate Plugin for WooCommerce
Vulnerability: Reflected Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: WP Job Manager – Company Profiles
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 1.8
Recommended Action: Update to version 1.8, or a newer patched version
Plugin: eDoc Easy Tables – Best WordPress Table Maker
Vulnerability: Cross-Site Request Forgery to SQL Injection
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Omnipress
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Login with Vipps and MobilePay
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.4
Recommended Action: Update to version 1.3.4, or a newer patched version
Plugin: Watu Quiz
Vulnerability: Authenticated (Contributor+) SQL Injection
Patched Version: 3.4.1.3
Recommended Action: Update to version 3.4.1.3, or a newer patched version
Plugin: ARforms
Vulnerability: Missing Authorization to Plugin Settings Change
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: BP Profile Shortcodes Extra
Vulnerability: Authenticated (Contributor+) SQL Injection via tab Parameter
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Responsive Lightbox & Gallery
Vulnerability: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library
Patched Version: 2.4.9
Recommended Action: Update to version 2.4.9, or a newer patched version
Plugin: RingCentral Communications Plugin – FREE
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Third Party Cookie Eraser
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Captivate Sync
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Patched Version: 2.0.26
Recommended Action: Update to version 2.0.26, or a newer patched version
Plugin: Simple User Registration
Vulnerability: Missing Authorization to User Deletion
Patched Version: 6.0
Recommended Action: Update to version 6.0, or a newer patched version
Plugin: Goodlayers Core
Vulnerability: Reflected Cross-Site Scripting via ‘font-family’
Patched Version: 2.0.8
Recommended Action: Update to version 2.0.8, or a newer patched version
Plugin: Beds24 Online Booking
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via beds24-link Shortcode
Patched Version: 2.0.28
Recommended Action: Update to version 2.0.28, or a newer patched version
Plugin: Countdown Timer for Elementor
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 6.0.1
Recommended Action: Update to version 6.0.1, or a newer patched version
Plugin: WP Mailster
Vulnerability: Unauthenticated Information Exposure
Patched Version: 1.8.17.0
Recommended Action: Update to version 1.8.17.0, or a newer patched version
Plugin: Load More Posts
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: AIO Contact
Vulnerability: Unauthenticated Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Simple Popup Plugin
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: B Testimonial – Testimonial plugin for WP
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.2.3
Recommended Action: Update to version 1.2.3, or a newer patched version
Plugin: Custom Post Type to Map Store
Vulnerability: Cross-Site Request Forgery to Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Pie Register Premium
Vulnerability: Unauthenticated Cross-Site Scripting
Patched Version: 3.8.3.3
Recommended Action: Update to version 3.8.3.3, or a newer patched version
Plugin: Video Player for WPBakery
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Connexion Logs
Vulnerability: Cross-Site Request Forgery to Log Deletion
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Advanced File Manager
Vulnerability: Authenticated (Subscriber+) Arbitrary File Upload
Patched Version: 5.2.11
Recommended Action: Update to version 5.2.11, or a newer patched version
Plugin: WordPress Portfolio Builder – Portfolio Gallery
Vulnerability: Authenticated (Editor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Kudos Donations – Easy donations and payments with Mollie
Vulnerability: Reflected Cross-Site Scripting
Patched Version: 3.3.0
Recommended Action: Update to version 3.3.0, or a newer patched version
Plugin: Dollie Hub – Build Your Own WordPress Cloud Platform
Vulnerability: Authenticated (Contributor+) Post Disclosure
Patched Version: 6.2.1
Recommended Action: Update to version 6.2.1, or a newer patched version
Plugin: WP Find Your Nearest
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
Plugin: Cryptocurrency Widgets For Elementor
Vulnerability: Unauthenticated Local File Inclusion
Patched Version: 1.6.5
Recommended Action: Update to version 1.6.5, or a newer patched version
Plugin: WP News – WordPress News / Magazine Plugin
Vulnerability: Cross-Site Request Forgery to Arbitrary Plugin Activation
Patched Version: 1.2.0
Recommended Action: Update to version 1.2.0, or a newer patched version
Plugin: Pinpoint Booking System – #1 WordPress Booking Plugin
Vulnerability: Authenticated (Subscriber+) SQL Injection
Patched Version: 2.9.9.5.2
Recommended Action: Update to version 2.9.9.5.2, or a newer patched version
Plugin: WordPress Contact Forms by Cimatti
Vulnerability: Cross-Site Request Forgery via process_bulk_action Function
Patched Version: 1.9.3
Recommended Action: Update to version 1.9.3, or a newer patched version
Plugin: WP eCards
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting
Patched Version: 1.3.905
Recommended Action: Update to version 1.3.905, or a newer patched version
Plugin: Arkhe Blocks
Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via block attributes
Patched Version: 2.27.1
Recommended Action: Update to version 2.27.1, or a newer patched version
Plugin: Product Labels For Woocommerce (Sale Badges)
Vulnerability: Authenticated (Administrator+) SQL Injection
Patched Version: 1.5.9
Recommended Action: Update to version 1.5.9, or a newer patched version
Plugin: Wallet for WooCommerce
Vulnerability: Authenticated (Subscriber+) Incorrect Conversion between Numeric Types
Patched Version: 1.5.7
Recommended Action: Update to version 1.5.7, or a newer patched version
Plugin: s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions
Vulnerability: Unauthenticated Remote Code Execution
Patched Version: No patched version available
Recommended Action: No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.
***
Check out the Watch Out Wednesday Archive for past Watch Out Wednesday posts.